On 3/30/26 5:47 PM, Nico Williams wrote:
On Mon, Mar 30, 2026 at 05:41:23PM -0400, Geoffrey Thorpe wrote:
> > Yeah I didn't mean stateless in the way you're interpreting it, I get what
> > you mean. It's only "stateless" in the sense that the typical orchestration
> > problem of managing a KDC, i.e. registering and deregistering client and
> > service principals in the KDC database, is avoidable. [...]

> I would call this read-only KDCs, or mostly-read-only KDCs.

That's the idea. When I wrote "stateless" it was with respect to the database state, not protocol state. And even then, there's some hand waving implied.

> > Perhaps I didn't express it well. The feature I'm relying on is _not_ that
> > kinit refreshes the x509v3 cred itself, but that it re-reads the cert and
> > key periodically from the FS rather than reading only once at startup. I.e.

> FS?

file system

> > the assumption is that the pkinit cert+key is going to be refreshed "by
> > other means" (in my case via HCP attestation, in other cases it'll be
> > whatever PKI tooling keeps creds up to date), so what I'm relying on is that
> > the kinit instance will consume those updates to the cred over time (from
> > the FS), without requiring a restart.
> > The Heimdal "kinit -C" does seem to do this.

> Are you referring to the mode of kinit where it runs a command and keeps
> it supplied with fresh tickets?  MIT Kerberos' kinit does not have that
> mode.

Yes, that's what I'm referring to. If it's not yet supported by the MIT kinit, I would certainly recommend that it be added; it's very helpful.

Cheers,
Geoff

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
